
@mcastelino
Created March 20, 2018 17:34
Supporting docker DNS resolution in Kata Containers

Issue

clearcontainers/runtime#121

clearcontainers/runtime#1042

Problem

                                                dockerd
                                                 +         Step 1:
                Step 2:                      +   |     +   iptables sends traffic to dockerd
                Dockerd sends non local DNS  |   |  +  |
                to host dns via      +--------------------------------------------------------------------+
                the veth interface   |       |   |  |  |                                                  |
                                     |       |   |  |  |                                                  |
docker bridge                        |       |   |  |  |                                                  |
                                     |       |   |  |  |                                                  |
          +                          |       |   |  |  |                                                  |
          |                          |       |   |  |  |                                                  |
          |                          |       |   +  |  |           +-----------------------------+        |
          |                          |       |      |  |           |                             |        |
          |                          |       |      |  |           |                             |        |
          |                          |       |      |  |           |                             |        |
          |                          |       |      |  |           |                             |        |
          |                          |       |      |  +----------------------+                  |        |
          |                          |       |      |              |          +                  |        |
          |                          |       |      |              |                             |        |
          |                          |       | Veth |              |           eth0              |        |
          +-------------------------------------------------------------------+                  |        |
          |                          |       |      |              |                             |        |
          |   +------------------------------+      |              |                             |        |
          |                          |              |              |  127.0.0.11:53              |        |
          |                          |              |              |                             |        |
          |                          |              |              |                             |        |
          |                          |              |              |                             |        |
          |                          |              +------------------------+                   |        |
          |                          |                             |                             |        |
          |                          |  Step 3: dockerd responds   |                             |        |
          +                          |  to DNS request             +-----------------------------+        |
                                     |                                                                    |
                                     |                                                                    |
                                     |                                                                    |
                                     |                                                                    |
                                     |                                                                    |
                                     |                                                                    |
                                     |                                                                    |
                                     |                                                                    |
                                     +--------------------------------------------------------------------+

Macvtap

             +--------------------------------------------------------------------------------------+
             |                                                                                      |
+            |                                                                                      |
|            |                                                                                      |
|            |                                                                                      |
|            |                                                                                      |
|            |                                                                                      |
|            |                                                                                      |
|            |                                    +--------------------------------+                |
|            |                                    |                                |                |
|            |                                    |                                |                |
|            |                                    |                                |                |
|            |                                    |                                |                |
|            |                                    |                                |                |
|            |                                    |                                |                |
|            |            +----------------------------+                           |                |
+-------------------------+                       |    |   Container IP and mac    |                |
|            |            +----------------------------+                           |                |
|            |                                    |                                |                |
|            |                                    |                                |                |
|            |      The host side namespace       |                                |                |
|            |      does not have IP or MAC       |                                |                |
|            |                                    |                                |                |
|            |                                    |                                |                |
|            |                                    |                                |                |
|            |                                    |                                |                |
|            |                                    +--------------------------------+                |
|            |                                                                                      |
|            |                                                                                      |
|            |                                                                                      |
+            |                                                                                      |
             |                                                                                      |
             |                                                                                      |
             |                                                                                      |
             |                                                                                      |
             |                                                                                      |
             +--------------------------------------------------------------------------------------+


tc based solution

                                                  +
                                                  | dockerd
                                                  |
                                                  |
                                                  |
                                                  |
                                                  |
            +---------------------------------------------------------------------------------------+
            |                                     |                                                 |
            |                                     |                                                 |
            |                                     |                                                 |
            |   Dst 127.0.0.11         Src        |       Dst         Src == Container              |
            |   Src != Container      127.0.0.11  |       127.0.0.11  Port 53                       |
            |                          Dst !=     |                  +----------------------+       |
            |                          container  +        ^         |                      |       |
            |                ^                             |         |                      |       |
            |                |           |                 |         |                      |       |
            |                |           |                 |         |                      |       |
            |                |           |     DNS traffic |         |                      |       |
            |                |           |                 |         |                      |       |
            |                |           |                 |         |                      |       |
            |                |           v                 +         |                      |       |
            |                                                        |                      |       |
      +---------------------------------------+           +---------------------+           |       |
            |                                                        |                      |       |
            |                                                        |                      |       |
            |                                     tc rules           |                      |       |
            |                                                        |                      |       |
            |                              +----------------->       |                      |       |
            |                                    non 127.0.0.11 traffic                     |       |
            |                                                 +      |                      |       |
            |                              <------------------+      |                      |       |
            |                                                        |                      |       |
            |                                                        +----------------------+       |
            |                                                                                       |
            |                                                                                       |
            |                                                                                       |
            |                                                                                       |
            |                                                                                       |
            |                                                                                       |
            |                                                                                       |
            |                                                                                       |
            +---------------------------------------------------------------------------------------+

Note: The veth retains its IP and MAC address and is in the network namespace.
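The classification the tc diagram describes, as an added example that is not code from the gist or from the Kata/Clear Containers project: a shell script (dry-run by default) that installs tc ingress filters so UDP to 127.0.0.11:53 arriving from the VM's tap is handed to the namespace's own stack, while all other traffic is mirrored between the veth and the tap. The interface names veth0/tap0, the `run` wrapper and the `DRY_RUN` switch are assumptions; with DRY_RUN=0 it expects to run as root inside the container's network namespace.

```shell
#!/bin/sh
# Added example, not code from the gist or from Kata/Clear Containers.
# Queries to Docker's embedded resolver (127.0.0.11:53) coming from the VM
# continue into the network namespace's own stack, where dockerd's iptables
# rule and listener handle them; everything else is mirrored to the veth with
# tc mirred, and traffic arriving on the veth is mirrored to the tap.
# Assumptions: both interfaces live in the container's network namespace, the
# names are placeholders, and with DRY_RUN=0 this runs as root in that namespace.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # default: print the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# usage: kata_tc_dns_rules <veth-in-netns> <tap-to-vm>
kata_tc_dns_rules() {
    veth="$1"
    tap="$2"

    # Packets arriving on a non-loopback interface with a 127/8 destination are
    # dropped as martians unless route_localnet is enabled on that interface.
    run sysctl -w "net.ipv4.conf.$tap.route_localnet=1"

    # Ingress qdiscs give tc a hook on packets arriving on each interface.
    run tc qdisc add dev "$tap" handle ffff: ingress
    run tc qdisc add dev "$veth" handle ffff: ingress

    # prio 1 on the tap: UDP to 127.0.0.11:53 from the VM continues into the
    # local stack ("ok"), i.e. it is NOT mirrored out of the veth.
    run tc filter add dev "$tap" parent ffff: protocol ip prio 1 u32 \
        match ip dst 127.0.0.11/32 match ip protocol 17 0xff \
        match ip dport 53 0xffff action ok

    # prio 2 on the tap: all remaining traffic is redirected out of the veth.
    run tc filter add dev "$tap" parent ffff: protocol all prio 2 u32 \
        match u32 0 0 action mirred egress redirect dev "$veth"

    # Traffic arriving on the veth (from the Docker bridge) goes to the VM.
    run tc filter add dev "$veth" parent ffff: protocol all prio 1 u32 \
        match u32 0 0 action mirred egress redirect dev "$tap"
}
```

dockerd installs its DNAT for 127.0.0.11:53 in the nat OUTPUT chain, which packets entering through the tap never traverse, so a matching PREROUTING rule toward dockerd's listener port (chosen at run time, not shown here) is still required. Replies from 127.0.0.11 also need a path back to the tap, which these rules alone do not create.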
